The views of one man on security, privacy and anything else that catches his attention. The views expressed on this blog do not reflect the views of my employer or anyone other than myself.

Archive for July, 2009

At times, the features used to help secure browsers and keep communications private are less effective than users think — and may even be a detriment to privacy. Joshua “Jabra” Abraham and Robert “RSnake” Hansen, in their talk “Unmasking You”, used techniques to yield some juicy tidbits about a target’s browsing habits, installed software, and more. “Jabra” took some time to chat with Zach about some of the things that were uncovered.

While many talks at BlackHat focus on security from a technical standpoint, James Arlen and Tiffany Rad presented on something a bit different — securing yourself. The talk, entitled “Your Mind – Legal Status, Rights and Securing Yourself”, focused on current and future legal, privacy, and data ownership issues that affect just about all of us. Zach snagged James in the hall to talk a bit more about his talk, and to find out if we privacy nuts still have a fighting chance.

Jeremiah Grossman and Trey Ford are two of the big brains behind Whitehat Security. Their presentation, “Mo’ Money Mo’ Problems: Making a LOT more money on the Web the Black Hat Way”, was a graphic example of how bad guys are making money. More importantly, they pointed out just how much money the bad guys are making with minimal technical prowess. The point they made that resonates with me personally is the difference between risk-based security and compliance-based security.

It helps in getting an interview with speakers when the speakers are co-workers. Kevin Stadmeyer and Garrett Held gave a talk called “Worst of the Best of the Best”, taking on the various industry awards and questioning what goes into giving them. Since most of the people in our industry are fairly cynical, we probably aren’t going to be that surprised by the results.

The Lockpick Village is always one of the more fun places to visit during Defcon. Babak Javadi and Deviant Ollam from Toool took time out of setting up for the Village and came over to talk to me about a new emergency credit card lockpick set that they’ll be selling this weekend and some of the events they’ll have going on over the weekend. The lockpick set looks great, and at only $20, it’s something you can easily afford to keep in your wallet all the time. And both Deviant and Babak say it’s something that they’ve taken through airport security many times. Their big announcement is that the winner of the speed picking contest this year will win a trip to Turkey for the competition next year! They also hint at an interesting reward for the Gringo competition, but they say we’ll have to wait until the closing ceremonies to find out what that is.

Black Hat Microcast 3 – Babak Javadi and Deviant Ollam from Toool

Rich, Zach and Martin gather to review the talks we’ve seen today, the people who we’ve talked to and some of the interesting things we’ve seen so far at Black Hat. It’s not even the end of the first day yet and we’re all exhausted, yet there’s still the first night of parties to go explore. We’re planning on doing the wrap-ups every day through Sunday.

This week Symantec announced a new offering, the Cyber Threat Analyst Program (CTAP). CTAP embeds an analyst in your company, combining the analyst’s experience with Symantec’s global information services and applying it to your unique environment. This is not an offering for the SMB market, but something that enterprises and government entities will be using. Tim explains this offering and gives a little of his own opinion on what he’s seen at Black Hat so far.

I’m jealous. Rich is already in Vegas, and our guest host Zach Lanier should be there soon, while I’m still in California and have to get up at 4am tomorrow morning to catch my flight. On the other hand, nothing’s really happening until I get there in any case, but I’d rather be there sooner than later. There’s already been a little drama with the Matasano site being hacked over the weekend and Dan Kaminsky’s site getting hacked today. Rich says Dan got his site back pretty fast, but it’s still annoying. And then there’s the out-of-cycle Microsoft patch that was released today, which is bound to get a little attention. Oh yeah, Rich also released a little paper on patching that was sponsored by Microsoft.

No real show notes tonight, I have to go pack. Starting tomorrow, we’ll be coming at you fast and furious with a series of near live ‘microcasts’, the 5-20 minute interviews we do as often as we can corner people in the hallways. Should be interesting.

Repeat after me: “Being compliant does not mean you’re secure. Being compliant doesn’t mean you’re secure.” Keep muttering that to yourself while you read the rest of this post. If you have a Bluetooth headset, people might not even think you’re crazy.

If you haven’t already heard, over the weekend Network Solutions announced that they’d been compromised and over half a million credit card records had been stolen. All we know about the attack so far is that it used ‘unauthorized code’, which could mean anything from a wholesale compromise by an outside attacker to a malicious insider placing the code for his own profit. In other words, they’ve really told us almost nothing about what happened, and it’s quite likely that’s about all we’ll find out. The code transferred the information to servers outside the company, and while there’s no evidence yet that the stolen credit cards have been used for fraud, there’s also no evidence that they haven’t.

So why are we spending so much time on PCI if it doesn’t make our merchants and service providers secure? Network Solutions had been validated as PCI compliant by Payment Software Company (PSC) last October, so they were secure, weren’t they? Once a merchant or service provider is compliant, that’s it, isn’t it?

The Payment Card Industry Data Security Standard is not a magic potion that will make a company secure. The requirements are mostly good practices, and the annual review that merchants and service providers go through is not exhaustive and does not touch every server in a company’s PCI environment. The PCI DSS is a minimum baseline companies should be complying with in order to take credit card numbers. Each network and each business is too different for any standard to cover in a horizontal market that includes everything from your corner Mom’n’Pop store to the likes of Amazon, Best Buy and Walmart. What PCI does, and does well, is raise the baseline of security for the entire market and hopefully make it a little harder for the bad guys. But raising the bar for everyone may not raise it high enough to actually secure any one company, and it’s up to the security professionals who work at those companies to realize that PCI isn’t a stopping point, it’s just one milestone along the way to securing the systems at their companies.

(1) PCI DSS assessments represent only a “snapshot” of security in place at the time of the review, and do not guarantee that those security controls remain in place after the review is complete. These reviews did not cover proprietary software solutions that may be used or sold by these service providers.

Yes, Network Solutions was listed as having been validated last Halloween. Take a moment and think back to how your own network was configured and maintained last Halloween; have there been any changes to your network since then? Has anyone made any configuration mistakes on your systems in the last 10 months? Have there been any 0-day vulnerabilities that affect your servers since then? If you can answer ‘no’ to all of those questions, you’re either the best systems administrator I’ve never met, or you’re lying to yourself. I’d lean towards the latter.

The PCI requirements don’t require a QSA to check every server on the network, or even every server in a company’s PCI environment. They require the QSA to check a sample of systems against all of the PCI requirements. My own experience has been that you can tell pretty quickly whether a merchant or service provider is following their own configuration and hardening standards or not. If they are, you might be able to reduce the sample size some; if they’re not, you might have to increase the sample size you’re assessing. In all except the very smallest merchants, there is no way even the most competent QSA can assess more than a sample of the systems involved in the PCI process. It’d be great if we could review each and every system involved with cardholder data, but that’s why companies retain security personnel. The job of the QSA is not to verify every system; it’s to assess the security of a company as best they can in the few days they have on-site. It’s the job of the security and system professionals who work at a company day after day the rest of the year to ensure that the baseline of security PCI requires is kept current, and that even the systems the QSA didn’t check are secure.

Like my friend Anton, I wish people would stop taking every breach of a PCI compliant company as proof that PCI has failed. We don’t scream that Microsoft is a failure every time a Windows server is compromised, or state that the OWASP Top 10 is worthless if a company follows the guidelines but still turns out insecure software. We acknowledge that the system has weaknesses, that people don’t follow guidelines as well as we might like, and we move on. Just because one part of an overall system is flawed, we don’t declare the whole thing a failure. Instead, we work on improving the system and making it better so that the same problem doesn’t happen again. Or at least we try to. So why does anyone expect the PCI system to be perfect?

I have to admit, as a security professional, I’ve been woefully lacking in my exploration of the 4chan site. More accurately, I’ve been unwilling to stick my nose into what is known as one of the most disturbing and contentious sites on the entirety of the Internet. I know what 4chan is and have a number of friends who spend significant amounts of time there, but I’ve never had the need or desire to explore or spend any time on the site. But one thing I do know about 4chan is that you don’t want to stir up its denizens and find yourself on the receiving end of more unsavory attention than you even knew existed. Apparently AT&T didn’t understand that basic tenet of the Internet and started blocking 4chan in SoCal over the weekend, nearly creating a digital uprising they might not have been able to handle. Luckily for them, they relented and unblocked 4chan before the real storm started.

4chan’s members range from web neophytes to some of the most talented hackers out there. The last time 4chan was in the news was this April, when they gamed a Time poll to find the top 100 most influential people. Talent aside, just the sheer number of people who use the 4chan site worldwide is enough to cause a serious problem for AT&T, especially given their excitable nature. And all it would have taken on AT&T’s part to avert this disaster is a little bit of transparency, provided their reasons for blocking the site in the first place were authentic.